Description

We noticed that one of our user's session info in django_session has it's expire date moved into the future periodically. We are not calling set_expiry() on the session. My understanding was that the expire date was a constant for a given session key -- it is set when the session is created and never changes unless set_expiry() is called.

While reading through the Django Sessions docs, though, I noticed this bit:

To change this default behavior, set the SESSION_SAVE_EVERY_REQUEST setting to True. If SESSION_SAVE_EVERY_REQUEST is True, Django will save the session to the database on every single request.
Note that the session cookie is only sent when a session has been created or modified. If SESSION_SAVE_EVERY_REQUEST is True, the session cookie will be sent on every request.
Similarly, the expires part of a session cookie is updated each time the session cookie is sent.

Does this mean that the cookie is sent whenever the session data changes and that this triggers the expiration date to move forward? If so, why is that? It seems that's the wrong behavior since I would think the expiration of someone's remembered login etc would have nothing to do with when the session data was last updated.

Oldest firstNewest firstThreaded

Comments only

Change History (2)

The session expiry age is the period of inactivity after which the session will expire. The documentation could arguably be clarified to make this clearer, but the behaviour you're seeing is correct: every change to the session indicates it is not idle.

Should I open a docs ticket? The current docs make it sound (to me at least) like some of the expiration dates are absolute -- for example, passing a datetime to set_expiry says the session will expire at that datetime, no if ands or buts. But that doesn't sound like it's the case. Similarly, the setting SESSION_COOKIE_AGE says how long the session should live, not that every write to the session will push the expiration date out this many seconds.